          Compliance of AppExchange Apps for Government Cloud

          Ensure compliance with government regulations and security standards when you use applications from AppExchange in a Government Cloud org. Review the controls used to assess Salesforce native apps, which support data integrity, privacy, and adherence to the compliance requirements that apply to government workloads.

          Required Editions

          Available in: Enterprise and Unlimited Editions

          AppExchange Compliance

          Before an app can be listed on AppExchange, it must pass the Salesforce security review. Apps offered to Salesforce Government Cloud customers are held to additional, consistently maintained requirements, and compliance standards matter most for apps built specifically for Government Cloud, because those standards are what uphold data security and satisfy the regulatory obligations of Government Cloud customers.

          Compliance Control Enhancements

          Before you install an app in your Government Cloud org, confirm that the app meets your organizational requirements. Work with your Authorizing Official (AO) to verify the list of controls that applies to your organization. If you're a United States government agency, the relevant list is the set of controls that apply to single-tenant apps deployed to a platform as a service (PaaS) authorized under the Federal Risk and Authorization Management Program (FedRAMP) and Department of Defense (DoD) requirements.

          The FedRAMP Third-Party Assessment Organization (3PAO) used for Government Cloud recommends specific controls for assessing Salesforce native apps. The controls are drawn from the NIST SP 800-53 catalog, which you can reference at: https://nvd.nist.gov/800-53. NIST SP 800-53 is the catalog of security and privacy controls from which the FedRAMP baselines are selected.

          The following controls, grouped by NIST SP 800-53 control family, are the baseline requirements the 3PAO recommends for assessing an app offered on a FedRAMP-authorized cloud service. Control enhancements are shown in parentheses after the base control identifier.

          Awareness and Training (AT)

          • AT-2 - SECURITY AWARENESS TRAINING
          • AT-2 (2) - SECURITY AWARENESS TRAINING | INSIDER THREAT
          • AT-3 - ROLE-BASED SECURITY TRAINING
          • AT-4 - SECURITY TRAINING RECORDS

          Incident Response (IR)

          • IR-2 - INCIDENT RESPONSE TRAINING
          • IR-3 - INCIDENT RESPONSE TESTING
          • IR-3 (2) - INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS
          • IR-4 - INCIDENT HANDLING
          • IR-4 (1) - INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES
          • IR-5 - INCIDENT MONITORING
          • IR-6 - INCIDENT REPORTING
          • IR-6 (1) - INCIDENT REPORTING | AUTOMATED REPORTING
          • IR-7 - INCIDENT RESPONSE ASSISTANCE
          • IR-7 (1) - INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT
          • IR-7 (2) - INCIDENT RESPONSE ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS
          • IR-8 - INCIDENT RESPONSE PLAN
          • IR-9 - INFORMATION SPILLAGE RESPONSE
          • IR-9 (1) - INFORMATION SPILLAGE RESPONSE | RESPONSIBLE PERSONNEL
          • IR-9 (2) - INFORMATION SPILLAGE RESPONSE | TRAINING
          • IR-9 (3) - INFORMATION SPILLAGE RESPONSE | POST-SPILL OPERATIONS
          • IR-9 (4) - INFORMATION SPILLAGE RESPONSE | EXPOSURE TO UNAUTHORIZED PERSONNEL

          Personnel Security (PS)

          • PS-2 - POSITION RISK DESIGNATION
          • PS-3 - PERSONNEL SCREENING
          • PS-3 (3) - PERSONNEL SCREENING | INFORMATION WITH SPECIAL PROTECTION MEASURES
          • PS-4 - PERSONNEL TERMINATION
          • PS-5 - PERSONNEL TRANSFER
          • PS-6 - ACCESS AGREEMENTS
          • PS-7 - THIRD-PARTY PERSONNEL SECURITY
          • PS-8 - PERSONNEL SANCTIONS

          System and Services Acquisition (SA)

          • SA-3 - SYSTEM DEVELOPMENT LIFE CYCLE
          • SA-5 - INFORMATION SYSTEM DOCUMENTATION
          • SA-8 - SECURITY ENGINEERING PRINCIPLES
          • SA-10 - DEVELOPER CONFIGURATION MANAGEMENT
          • SA-10 (1) - DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE / FIRMWARE INTEGRITY VERIFICATION
          • SA-11 - DEVELOPER SECURITY TESTING AND EVALUATION
          • SA-11 (1) - DEVELOPER SECURITY TESTING AND EVALUATION | STATIC CODE ANALYSIS
          • SA-11 (2) - DEVELOPER SECURITY TESTING AND EVALUATION | THREAT AND VULNERABILITY ANALYSES
          • SA-11 (8) - DEVELOPER SECURITY TESTING AND EVALUATION | DYNAMIC CODE ANALYSIS

          System and Information Integrity (SI)

          • SI-2 - FLAW REMEDIATION
          • SI-2 (2) - FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS
          • SI-2 (3) - FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS
          • SI-10 - INFORMATION INPUT VALIDATION
          • SI-11 - ERROR HANDLING
          Salesforce Help | Article